Data Processing Agreement

Standard contractual clauses

Pursuant to Article 28(3) of Regulation (EU) 2016/679 (the Data Protection Regulation), with a view to the data processor's processing of personal data, between

Name: COMASYS ApS
Address: Unsbjergvej 11, 5220 Odense SØ
CVR / VAT: DK29404399
Name: Tommy Jepsen
Title: Manager
Telephone: 23201111
Email: tommyjepsen@comasys.dk


hereafter “the data processor”

hereafter “the data controller”

each is a “party” and together constitute the “parties”

The parties have agreed the following standard contractual clauses (the Provisions) in order to comply with the Data Protection Regulation and to ensure the protection of privacy and the fundamental rights and freedoms of natural persons.


Contents

2 Preamble

3 Rights and obligations of the data controller

4 The data processor acts according to instructions

5 Confidentiality

6 Security of processing

7 Use of sub-processors

8 Transfer of information to third countries or international organizations

9 Assistance to the data controller

10 Notification of breaches of personal data security

11 Deletion and return of information

12 Audit, including inspection

13 The parties' agreements on other matters

14 Entry into force and termination

Appendix A Information about the processing

Appendix B Sub-processors

Appendix C Instructions regarding the processing of personal data

Appendix D The parties' regulation of other matters, including instructions regarding the processing of personal data

 

2. Preamble

1. These provisions set out the data processor's rights and obligations when it processes personal data on behalf of the data controller.

2. These Provisions are designed to ensure the parties' compliance with Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the Data Protection Regulation).

3. In connection with the provision of the services agreed in Annex D, the data processor shall process personal data on behalf of the data controller in accordance with these Provisions.

4. The Provisions take precedence over any similar provisions in other agreements between the parties.

5. There are four annexes to these Provisions, and the annexes form an integral part of the Provisions.

6. Annex A contains details of the processing of personal data, including the purpose and nature of the processing, the types of personal data, the categories of data subjects and the duration of the processing.

7. Annex B contains the data controller's conditions for the data processor's use of sub-processors and a list of the sub-processors approved by the data controller.

8. Annex C contains the data controller's instructions regarding the data processor's processing of personal data, a description of the security measures that the data processor must implement as a minimum, and how the data processor and any sub-processors are supervised.

9. Annex D contains the parties' "main agreement", including instructions and delivery terms.

10. The Provisions and accompanying annexes shall be kept in writing, including electronically, by both parties.

11. These Provisions shall not release the data processor from any obligations imposed on the data processor under the Data Protection Regulation or any other legislation.

 

3. The data controller's rights and obligations

1. The data controller shall be responsible for ensuring that the processing of personal data is carried out in accordance with the Data Protection Regulation (see Article 24 of the Regulation), the data protection provisions of other Union law or the national law of the EEA Member States, and these Provisions.

2. The data controller has the right and the duty to make decisions about the purpose(s) of the processing and the means by which personal data may be processed.

3. The data controller is responsible for, among other things, ensuring that there is a legal basis for the processing of personal data that the data processor is instructed to carry out.

 

4. The data processor acts according to instructions

1. The data processor may only process personal data in accordance with documented instructions from the data controller, unless processing is required by EU law or the national law of the Member States to which the data processor is subject. These instructions must be specified in Annexes A, C and D. Subsequent instructions may also be given by the data controller while the personal data is being processed, but such instructions must always be documented and kept in writing, including electronically, together with these Provisions.

2. The data processor shall immediately inform the data controller if, in its opinion, an instruction is in breach of the Data Protection Regulation or the data protection provisions of other Union law or the national law of the Member States.

 

5. Confidentiality

1. The data processor may only grant access to personal data processed on behalf of the data controller to persons who are subject to the data processor's instructional powers, who have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality, and only to the extent necessary. The list of persons who have been granted access must be reviewed on an ongoing basis. On the basis of this review, access to personal data may be withdrawn if access is no longer necessary, and the personal data must then no longer be available to those persons.

2. The data processor shall, at the request of the data controller, be able to demonstrate that the persons concerned, who are subject to the data processor's powers of instruction, are subject to the above-mentioned duty of confidentiality.

 

6. Security of processing

1. Article 32 of the Data Protection Regulation stipulates that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing concerned, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the data controller and the data processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to those risks.

2. The data controller shall assess the risks to the rights and freedoms of natural persons posed by the processing and implement measures to address those risks. Depending on their relevance, these may include:

a. pseudonymization and encryption of personal data

b. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services

c. the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident

d. a procedure for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures for ensuring the security of the processing.

3. Pursuant to Article 32 of the Regulation, the data processor shall, independently of the data controller, also assess the risks to the rights and freedoms of natural persons posed by the processing and implement measures to address those risks. For the purposes of this assessment, the data controller shall make the necessary information available to the data processor, enabling it to identify and assess such risks.

4. In addition, the data processor shall assist the data controller in complying with the data controller's obligation under Article 32 of the Regulation by, inter alia, providing the data controller with the necessary information regarding the technical and organizational security measures already implemented by the data processor in accordance with Article 32 of the Regulation, and any other information necessary for the data controller to comply with its obligation under Article 32 of the Regulation.

5. If, in the opinion of the data controller, addressing the identified risks requires measures in addition to those already implemented by the data processor, the data controller shall list the additional measures to be implemented in Annex C.

 

7. Use of sub-processors

1. The data processor shall comply with the conditions set out in Article 28(2) and (4) of the Data Protection Regulation in order to make use of another processor (a sub-processor).

2. The data processor may therefore not engage a sub-processor for the fulfilment of these Provisions without the prior general written approval of the data controller.

3. The data processor has the data controller's general approval for the use of sub-processors. The data processor must notify the data controller in writing of any planned changes regarding the addition or replacement of sub-processors with at least 3 weeks' notice, thereby giving the data controller the opportunity to object to such changes before the sub-processor(s) in question are used. The list of sub-processors already approved by the data controller is set out in Annex B.

4. When the data processor uses a sub-processor to perform specific processing activities on behalf of the data controller, the data processor shall, through a contract or other legal document under EU law or the national law of the Member States, impose on the sub-processor the same data protection obligations as those set out in these Provisions, which in particular provide the necessary guarantees that the sub-processor will implement the technical and organizational measures in such a way that the processing complies with the requirements of these Provisions and the Data Protection Regulation.

The data processor is therefore responsible for requiring the sub-processor to comply at least with the data processor's obligations under these Provisions and the Data Protection Regulation.

5. Sub-processor agreement(s) and any subsequent amendments thereto shall, at the request of the data controller, be sent in copy to the data controller, who thereby has the opportunity to ensure that corresponding data protection obligations under these Provisions are imposed on the sub-processor. Provisions on commercial terms that do not affect the data protection content of the sub-processor agreement need not be sent to the data controller.

6. In its agreement with the sub-processor, the data processor shall include the data controller as a third-party beneficiary in the event of the data processor's bankruptcy, so that the data controller can assume the data processor's rights and enforce them against the sub-processor, for example enabling the data controller to instruct the sub-processor to delete or return the personal data.

7. If the sub-processor does not fulfil its data protection obligations, the data processor remains fully liable to the data controller for the fulfilment of the sub-processor's obligations. This is without prejudice to the rights of data subjects deriving from the Data Protection Regulation, in particular Articles 79 and 82 of the Regulation, vis-à-vis the data controller and the data processor, including the sub-processor.

 

8. Transfer of information to third countries or international organizations

1. Any transfer of personal data to third countries or international organizations may only be carried out by the data processor on the basis of documented instructions from the data controller and must always be carried out in accordance with Chapter V of the Data Protection Regulation.

2. If a transfer of personal data to third countries or international organizations, which the data processor has not been instructed to perform by the data controller, is required by EU law or the national law of the Member States to which the data processor is subject, the data processor shall inform the data controller of that legal requirement before processing, unless the law in question prohibits such notification on important grounds of public interest.

3. Thus, without documented instructions from the data controller, the data processor may not, within the framework of these Provisions:

a. transfer personal data to a data controller or data processor in a third country or an international organization

b. entrust the processing of personal data to a sub-processor in a third country

c. process the personal data in a third country

4. The data controller's instructions regarding the transfer of personal data to a third country, including any basis for the transfer in Chapter V of the Data Protection Regulation on which the transfer is based, shall be set out in Annex C.6.

5. These Provisions shall not be confused with standard contractual clauses within the meaning of Article 46(2)(c) and (d) of the Data Protection Regulation, and these Provisions cannot constitute a basis for the transfer of personal data within the meaning of Chapter V of the Data Protection Regulation.

 

9. Assistance to the data controller

1. The data processor shall, taking into account the nature of the processing, assist the data controller as far as possible, by appropriate technical and organizational measures, in fulfilling the data controller's obligation to respond to requests for the exercise of data subjects' rights as set out in Chapter III of the Data Protection Regulation.

This means that the data processor must, as far as possible, assist the data controller in ensuring compliance with:

a. the duty to provide information when collecting personal data from the data subject

b. the duty to provide information when personal data has not been collected from the data subject

c. the right of access

d. the right to rectification

e. the right to erasure ("the right to be forgotten")

f. the right to restriction of processing

g. the duty to notify in connection with the rectification or erasure of personal data or the restriction of processing

h. the right to data portability

i. the right to object

j. the right not to be subject to a decision based solely on automated processing, including profiling

2. In addition to the data processor's obligation to assist the data controller in accordance with Provision 6.4, the data processor shall further assist the data controller, taking into account the nature of the processing and the information available to the data processor, in complying with:

a. the data controller's obligation to report a personal data breach to the Danish Data Protection Agency without undue delay and, if possible, no later than 72 hours after having become aware of it, at this link https://indberet.virk.dk/myndigheter/stat/ERST / Reporting_of_breaks_of_security, unless the personal data breach is unlikely to result in a risk to the rights or freedoms of natural persons.

b. the data controller's obligation to notify the data subject of a personal data breach without undue delay when the breach is likely to result in a high risk to the rights and freedoms of natural persons.

c. the data controller's obligation to carry out, prior to the processing, an assessment of the impact of the intended processing activities on the protection of personal data (a data protection impact assessment).

d. the data controller's obligation to consult the Danish Data Protection Agency prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the data controller to mitigate the risk.

3. The parties shall set out in Annex C the necessary technical and organizational measures with which the data processor shall assist the data controller, and the extent of that assistance. This applies to the obligations arising from Provisions 9.1 and 9.2.

 

10. Notification of breaches of personal data security

1. The data processor shall inform the data controller without undue delay after becoming aware that a personal data breach has occurred.

2. The data processor's notification to the data controller shall, if possible, take place no later than 24 hours after it has become aware of the breach, so that the data controller can comply with its obligation to report the personal data breach to the Danish Data Protection Agency within 72 hours, cf. Article 33 of the Data Protection Regulation.

3. In accordance with Provision 9.2.a, the data processor shall assist the data controller in notifying the breach to the competent supervisory authority. This means that the data processor must assist in providing the following information, which according to Article 33(3) must appear in the data controller's notification of the breach to the competent supervisory authority:

a. the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

b. the likely consequences of the personal data breach;

c. the measures taken or proposed by the data controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

4. The parties shall set out in Annex D the information to be provided by the data processor in connection with its assistance to the data controller in the data controller's obligation to report personal data breaches to the competent supervisory authority.

 

11. Deletion and return of information

1. Upon termination of the personal data processing services, the data processor is obliged to delete all personal data that has been processed on behalf of the data controller and to confirm to the data controller that the data has been deleted, unless EU law or the national law of the Member States requires storage of the personal data.

2. The data processor undertakes to process the personal data only for the purpose(s), during the period and under the conditions prescribed by these Provisions.

 

12. Audit, including inspection

1. The data processor shall make available to the data controller all information necessary to demonstrate compliance with Article 28 of the Data Protection Regulation and these Provisions, and shall enable and contribute to audits, including inspections, carried out by the data controller or another auditor authorized by the data controller.

2. The procedures for the data controller's audits, including inspections, of the data processor and sub-processors are specified in Annexes C.7 and C.8.

3. The data processor is obliged to give supervisory authorities which, under applicable law, have access to the data controller's or the data processor's facilities, or representatives acting on behalf of the supervisory authority, access to the data processor's physical facilities upon proper identification.

 

13. The parties' agreements on other matters

1. The parties may agree on other provisions concerning the service and the processing of personal data, concerning e.g. liability, as long as these other provisions do not directly or indirectly contravene the Provisions or impair the data subjects' fundamental rights and freedoms arising from the Data Protection Regulation.

 

14. Entry into force and termination

1. The Provisions shall enter into force on the date of acceptance by both parties.

2. Either party may demand that the Provisions be renegotiated if changes in the law or inexpediencies in the Provisions give rise to this.

3. The Provisions shall apply as long as the personal data processing service lasts. During this period, the Provisions may not be terminated unless other provisions governing the provision of the service concerning the processing of personal data are agreed between the parties.

4. If the provision of the personal data processing services ceases and the personal data has been deleted or returned to the data controller in accordance with Provision 11.1 and Annex C.4, the Provisions may be terminated by written notice from either party.

 

 

Appendix A. Information about the processing

A.1. The purpose of the data processor's processing of personal data on behalf of the data controller

Category of data subject: Employees
Purpose:
  • Give employees access to the system so they can carry out their tasks.
  • Personnel administration and care.

Category of data subject: Customers
Purpose:
  • Manage financial balances with customers.
  • Marketing and customer care.

Category of data subject: Suppliers
Purpose:
  • Purchasing administration.
  • Supplier care.
  • Exploring supplier options.

 

A.2. The data processor's processing of personal data on behalf of the data controller primarily concerns the services described in Annex D or the main agreement (the nature of the processing).

 

A.3. The processing includes the following types of personal information about the data subjects

Ordinary personal data (e.g. name, address, email, telephone number, etc.).

Confidential personal data (CPR number or significant social problems).

 

A.4. The processing includes the following categories of data subjects

Category of data subject: Employees
Description: Persons who are or have been employees / board members of the data controller, or who are job applicants.

Category of data subject: Customers
Description: Persons who are or have been customers / members / clients of the data controller, or who are potential customers / members / clients.

Category of data subject: Suppliers
Description: Persons who are or have been business associates, including suppliers and partners of the data controller, or who are potential business associates.

A.5. The data processor's processing of personal data on behalf of the data controller may commence after the entry into force of these Provisions. The processing has the duration specified in Appendix D or the main agreement.

 

 

Appendix B. Sub-processors

B.1. Approved sub-processors

Supplier | Country | Legal basis for processing outside the EU | Function

Upon the entry into force of these Provisions, the data controller has approved the use of the above sub-processors for the described processing activity. The data processor may not, without the written consent of the data controller, make use of a sub-processor for a processing activity other than the one described and agreed, or make use of another sub-processor for this processing activity.

Appendix C. Instructions regarding the processing of personal data

C.1. The subject matter of / instructions for the processing

The data processor's processing of personal data on behalf of the data controller takes place by the data processor performing the processing described in the main agreement / contract or in Annex D.

 

C.2. Security of processing

The following security measures have been taken:

In the case of the processing of confidential, sensitive or special categories of personal data, a "high" level of security must always be established.

Technical security measures (external):

  • SSL encrypted connection between client and server.
  • 2-factor validation for external login.
  • Passwords are stored encrypted (128-bit encryption).
  • Passwords are changed regularly, approx. every 3 months.
  • Ongoing backup and logging.
  • Sub-processors are located in the EU or in the US (all listed on the EU-US Privacy Shield list).
  • The operating environment is separate from the development and test environments.

Technical security measures (internal):

  • Updated antivirus on all devices that can access personal data.
  • Updated firewall on devices that can access personal data, as well as on servers / operations centers that may hold personal data.
  • Passwords are changed regularly, approx. every 3 months.
  • Continuous updating of operating systems and applications.
  • Ongoing backup and logging.
  • Encryption is used when transferring confidential, sensitive or special categories of personal data.

Organizational security measures:

  • All employees are instructed in the protection of personal data and have signed an employee instruction.
    • The employee instruction is updated and reviewed at least once a year.
    • The employee instruction is always reviewed with new employees in connection with their employment.
  • All employees are subject to a duty of confidentiality.
  • The overall responsibility for compliance with the security requirements lies with the data processor's management, typically represented by the IT manager.
  • Personal data is only available to those employees who have been approved and have a reason to access the data, and must always be treated confidentially.
  • In the case of large amounts of sensitive personal data, the data should be separated where possible so that access is kept to an absolute minimum.

Physical security measures:

  • Offices and buildings are locked when left.
  • It is ensured that operations can continue in the event of power outages, possibly with redundant communication links.
  • Archives with sensitive personal data are always stored locked, with alarm and monitoring also established.
  • Backups are stored locked (both internal and external); an ongoing restore test is performed to ensure that the backup works and contains valid data.
  • All physical media (paper, USB drives, etc.) that have been used to store personal data are securely destroyed.

Operational security:

  • Development, test and production environments are separate.
    • Development and testing are carried out by different people.
  • Capacity is continuously adjusted and checked in relation to maintaining operations.
  • Continuous password changes on both internal and external systems.
  • Logging of rejected logon attempts with automatic alerting.

 

C.3. Assistance to the data controller

The data processor shall, as far as possible, assist the data controller in accordance with Provisions 9.1 and 9.2 by implementing the technical and organizational measures specified in Annex C.2.

 

C.4. Storage period / deletion routine

Personal data is stored at the data processor until the data controller requests that the data be deleted or returned, unless otherwise agreed in Appendix D / the main agreement or in special terms.

Upon termination of the personal data processing service, the data processor shall either delete or return the personal data in accordance with Provision 11.1, unless the data controller, after signing these Provisions, has changed its original choice. Such changes must be documented and kept in writing, including electronically, together with the Provisions.

 

C.5. Location of processing

The processing of the personal data covered by these Provisions may not, without the data controller's prior written consent, take place at locations other than the data processor's or the sub-processor's locations.

 

C.6. Instructions regarding the transfer of personal data to third countries

The data processor does not transfer personal data to third countries, except to the generally approved sub-processors listed in Annex B.

If the data controller does not in these Regulations or subsequently give a documented instruction regarding the transfer of personal data to a third country, the data processor is not entitled to make such transfers within the framework of these Regulations.

 

C.7. Procedures for the data controller's audits, including inspections, of the processing of personal data left to the data processor

The Data Processor shall, once a year, obtain at its own expense a declaration / inspection report from an independent third party regarding the Data Processor's compliance with the Data Protection Regulation, data protection provisions of other EU law or Member States' national law and these Regulations.

The parties agree that the following type of statement may be used:

Signed independent third party (name, address, contact person, telephone, email and, if applicable, the DPO's name, address, telephone and email) confirms that it has reviewed the technical and organizational security measures that the data processor has reported to the data controller in connection with the conclusion of this data processing agreement.

The declaration / inspection report is made available / sent without undue delay to the data controller for information. The data controller may challenge the scope and / or method of the declaration / inspection report and in such cases may request a new declaration / inspection report under another scope and / or using another method.

Based on the results of the declaration / inspection report, the data controller is entitled to request the implementation of additional measures to ensure compliance with the Data Protection Regulation, the data protection provisions of other EU law or Member States' national law, and these Provisions.

In addition, the data controller or a representative of the data controller has access to carry out inspections, including physical inspections, of the sites from which the data processor processes personal data, including physical sites and systems used for or in connection with the processing. Such inspections can be carried out when the data controller deems it necessary. The assessment must be based on facts and not perception. Physical inspection requires prior agreement with the data processor and a prior notice of 3 weeks, so that the data processor is prepared to devote the necessary resources to it.

Any costs incurred by the data controller in connection with a physical inspection shall be borne by the data controller itself. However, the data processor is obliged to allocate the resources (mainly the time) necessary for the data controller to carry out its inspection.

 

C.8. Audit procedures, including inspections, with the processing of personal data left to sub-processors

The data processor's audits, including inspections, of the processing of personal data left to the sub-processor take place in the same way as the data controller's audits of the data processor, see section C.7.

 

 

Appendix D. The parties' regulation of other matters, including instructions regarding processing of personal data

See the main agreement / contract entered into between the parties.

Breach of data security:
In the event of a breach of data security, the data processor must enclose documentation of the facts of the breach, its effects and the remedial measures taken, and state whether the data subjects have been notified and, if so, how.